Microsoft Copilot UK GDPR and Data Protection Act 2018 Compliance

UK businesses using Microsoft Copilot must verify that the service meets the data protection standards set by the UK General Data Protection Regulation and the Data Protection Act 2018. Many organizations worry about how Copilot processes prompts, stores conversation history, and accesses Microsoft Graph data. These concerns are valid because Copilot operates as a cloud service that interacts with your tenant’s Microsoft 365 data. This article explains the specific compliance commitments Microsoft makes, the controls administrators can configure, and the steps to align Copilot usage with UK data protection law.

Key Takeaways: Microsoft Copilot UK GDPR and DPA 2018 Compliance

  • Microsoft 365 admin center > Settings > Org settings > Copilot > Data protection: Confirm that data boundary settings restrict Copilot processing to the UK region.
  • Microsoft Purview compliance portal > Data lifecycle management > Retention labels: Apply retention policies to Copilot conversation logs to meet DPA 2018 storage limits.
  • Azure AD > Enterprise applications > Microsoft Copilot Service > Permissions: Review and revoke any Graph API permissions that Copilot does not require for your use case.


How UK GDPR and the Data Protection Act 2018 Apply to Copilot

UK GDPR is the domestic version of the EU General Data Protection Regulation, retained after Brexit. The Data Protection Act 2018 supplements UK GDPR with additional rules for law enforcement, intelligence services, and exemptions. Together they require that any controller processing personal data of UK residents must do so lawfully, fairly, and transparently. They also mandate data minimization, purpose limitation, storage limitation, and appropriate technical and organizational measures.

Microsoft Copilot processes prompts that may contain personal data. When a user asks Copilot to summarize an email, draft a contract clause, or analyze a spreadsheet, the prompt and the underlying data from Microsoft Graph travel through Microsoft’s cloud infrastructure. Under UK GDPR, the organization that licenses Microsoft 365 is the data controller. Microsoft acts as a data processor. The controller must ensure that the processor provides sufficient guarantees to implement appropriate technical and organizational measures.

Microsoft’s Data Protection Addendum for Microsoft 365 includes commitments that apply to Copilot. The DPA incorporates the Standard Contractual Clauses for international transfers, which are recognized as a valid transfer mechanism under UK GDPR. Microsoft also maintains certifications such as ISO 27001, SOC 2 Type II, and the UK Cyber Essentials Plus scheme. These certifications demonstrate that Microsoft has implemented a security management system that aligns with UK expectations.

The key compliance areas for Copilot are data residency, purpose limitation, data subject rights, and the use of AI for automated decision-making. Each area has specific controls that administrators can configure in the Microsoft 365 admin center and the Microsoft Purview compliance portal.

Steps to Configure Copilot for UK GDPR Compliance

  1. Verify data residency in the Microsoft 365 admin center
    Go to the Microsoft 365 admin center and navigate to Settings > Org settings > Copilot. Under Data protection, confirm that the data processing location is set to the United Kingdom. This setting ensures that all Copilot prompts and responses are stored and processed within UK data centers. If the option is not visible, your tenant may have a multi-geo configuration that requires additional setup.
  2. Review and limit Copilot Graph permissions
    Open Azure Active Directory, then go to Enterprise applications > Microsoft Copilot Service. Under Permissions, review the Microsoft Graph permissions that Copilot has been granted. Revoke any permissions that are not essential for your intended Copilot use cases. For example, if you only use Copilot in Word and Excel, you can remove permissions for Teams messages or SharePoint site collections that contain sensitive personal data.
  3. Apply retention labels to Copilot conversation logs
    In the Microsoft Purview compliance portal, go to Data lifecycle management > Retention labels. Create a label specifically for Copilot conversation logs. Set the retention period to the shortest duration that meets your business need, typically 30 days or less. Publish the label to all users and apply it automatically using a retention policy that targets the Copilot conversation dataset.
  4. Enable data subject request handling in Purview
    Go to the Microsoft Purview compliance portal and open Data subject requests. Create a request template for Copilot data. When a UK data subject exercises their right of access, erasure, or portability under UK GDPR, use this template to search Copilot conversation logs. Microsoft provides a content search tool that can locate prompts and responses containing the data subject’s personal data.
  5. Configure audit logging for Copilot interactions
    In the Microsoft 365 admin center, go to Security > Audit. Enable audit log recording for all Copilot-related events. This captures who used Copilot, when, and what data was accessed. Retain audit logs for at least the minimum period required by your data protection policy. UK GDPR does not specify a fixed retention period for logs, but the ICO recommends retaining them no longer than necessary for accountability purposes.
  6. Limit Copilot access to specific user groups
    In the Microsoft 365 admin center, go to Users > Active users. Select a user and go to Licenses and apps. Toggle Copilot off for users who do not need it. For more granular control, use Azure AD conditional access policies to restrict Copilot access to users in specific security groups or from managed devices only.


If Copilot Still Raises Compliance Concerns

Copilot processes prompts outside the UK region

If you see prompts being processed in a data center outside the UK, check your tenant’s data residency configuration. Go to the Microsoft 365 admin center and verify that the default data location for your tenant is set to the United Kingdom. If you use a multi-geo setup, ensure that each user’s preferred data location is also set to the United Kingdom. Contact Microsoft support if the Copilot data processing location option is missing from your admin center.

Copilot accesses personal data that it should not

Review the Microsoft Graph permissions as described in step 2. If Copilot still returns data from sources that contain personal data, use sensitivity labels in Microsoft Purview to classify documents and emails. Then configure Copilot to exclude items with specific sensitivity labels from its search scope. This prevents Copilot from reading or summarizing documents that contain special category data under UK GDPR.
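As an added example (not part of this article or of Microsoft's own tooling), the following Python review runs over a constructed audit-log export and applies the checks from steps 5 and 6 together with the sensitivity-label exclusion described above: it counts Copilot interactions per user, flags users outside the group you licensed, and flags interactions that read content carrying a label you meant to keep out of Copilot's scope. The record field names, user addresses and label ids are assumptions, not values from a real tenant.

```python
import json
from collections import Counter

# Constructed sample of an exported unified audit log, one JSON record per line.
# The field names follow the shape of CopilotInteraction records but are assumed,
# not copied from a real tenant export.
SAMPLE_AUDIT_EXPORT = """\
{"CreationTime": "2024-05-01T09:12:00", "RecordType": "CopilotInteraction", "UserId": "alice@contoso.example", "AuditData": {"AppHost": "Word", "AccessedResources": [{"Name": "Q1 forecast.xlsx", "SensitivityLabelId": "label-general"}]}}
{"CreationTime": "2024-05-01T09:30:00", "RecordType": "CopilotInteraction", "UserId": "bob@contoso.example", "AuditData": {"AppHost": "Teams", "AccessedResources": [{"Name": "HR complaints.docx", "SensitivityLabelId": "label-special-category"}]}}
{"CreationTime": "2024-05-01T10:05:00", "RecordType": "ExchangeItem", "UserId": "alice@contoso.example", "AuditData": {}}
{"CreationTime": "2024-05-01T11:40:00", "RecordType": "CopilotInteraction", "UserId": "carol@contoso.example", "AuditData": {"AppHost": "Excel"}}
"""


def parse_copilot_records(export_text):
    """Parse a line-delimited JSON export and keep only Copilot interaction events."""
    records = []
    for line in export_text.splitlines():
        if line.strip():
            record = json.loads(line)
            if record.get("RecordType") == "CopilotInteraction":
                records.append(record)
    return records


def review_copilot_audit(records, licensed_users, restricted_label_ids):
    """Summarise Copilot usage per user and flag two findings: interactions by
    users outside the approved group, and interactions that read content whose
    sensitivity label should have excluded it from Copilot's search scope."""
    per_user = Counter()
    unexpected_users = set()
    restricted_access = []
    for record in records:
        user = record["UserId"].lower()
        per_user[user] += 1
        if user not in licensed_users:
            unexpected_users.add(user)
        # Records without AccessedResources (prompt only, no grounding data) add nothing here.
        for resource in record.get("AuditData", {}).get("AccessedResources", []):
            label = resource.get("SensitivityLabelId")
            if label in restricted_label_ids:
                restricted_access.append((user, resource.get("Name"), label))
    return {
        "interactions_per_user": dict(per_user),
        "unexpected_users": unexpected_users,
        "restricted_access": restricted_access,
    }
```

Any entry in `restricted_access` means the label exclusion is not taking effect and the affected item should be checked in Purview; any entry in `unexpected_users` means a licence or conditional access policy is broader than intended.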

Data subject requests cannot locate Copilot logs

Ensure that audit logging is enabled and that retention labels are applied correctly. If logs are missing, check the retention policy to confirm that it is targeting the correct dataset. In Purview, run a content search for the data subject’s name or email address in the Copilot conversation dataset. If the search returns no results, extend the search to include Exchange mailboxes and SharePoint sites where Copilot interactions may have been stored as drafts or shared documents.

Copilot for Microsoft 365 vs Copilot Pro: UK Data Protection Differences

| Item | Copilot for Microsoft 365 | Copilot Pro |
|---|---|---|
| Data processing location | Configurable to UK region via admin center | Fixed to consumer region, typically US or EU |
| Data subject request tooling | Microsoft Purview content search and DSR templates | No admin tooling; user must contact Microsoft support |
| Retention policy control | Full control via Purview retention labels | No retention policy control |
| Audit logging | Detailed audit log of all Copilot events | Limited to basic sign-in logs |
| Graph data access scope | Tenant-wide with admin-controlled permissions | Only user’s own Microsoft account data |
| DPA coverage | Covered under Microsoft 365 DPA with UK SCCs | Consumer terms of service; no DPA |

UK businesses that process personal data must use Copilot for Microsoft 365 rather than Copilot Pro. Only the enterprise version provides the administrative controls, data residency options, and DPA coverage required to meet UK GDPR and DPA 2018 obligations. Copilot Pro is designed for individual consumers and does not offer the same compliance guarantees.

After configuring the settings described above, run a test with a sample prompt that contains mock personal data. Use the Microsoft Purview compliance portal to verify that the prompt and response are stored in the UK region, that the retention label is applied, and that the audit log captures the event. This validation confirms that your Copilot deployment meets the technical and organizational measures required under UK GDPR and the Data Protection Act 2018.

Review the ICO guidance on AI and data protection periodically, as regulatory expectations for generative AI services continue to evolve. Consider setting up a recurring compliance review every six months to reassess Copilot permissions, retention policies, and data residency settings. This proactive approach ensures that your organization remains compliant as Microsoft updates Copilot features and as UK data protection law develops.
